SSO autologin to Nextcloud

My YunoHost server

Hardware: VPS bought online
YunoHost version: 4.2.8.3
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

Hi,

I have a simple question about SSO.
I installed the Nextcloud application, and I was expecting to be automatically logged in to Nextcloud if I was already logged in to YunoHost.
Is this the way it should work?
And if so, what could I check to solve this bug?

Best regards,


Pierre

Hi Pierre,

SSO is supposed to log you in to Nextcloud when you click on the coloured square after you logged in to YunoHost.

There are ways to break it, I think, for example by changing your password in Nextcloud.

Do your other apps work with SSO or do they have problems as well?

Have you been using Nextcloud for a while by now, or would it be easier to reinstall Nextcloud instead of troubleshooting?

Hi,

Thank you for your answer.

Our other apps do not seem ready for SSO (Mailman3, Gitea).
But I can install any app for testing, if you recommend one :slight_smile:

We were using Nextcloud for years, and we migrated to YunoHost a few months ago.
We developed some scripts to re-create data in Nextcloud, but the users were created through the YunoHost API.
So, maybe there was something wrong here?
It would be possible to reinstall Nextcloud, but it would take some time.

A maybe-related bug: regularly, some users can’t log in to Nextcloud, without any error message (neither on the website, nor in the JS console, nor in the server logs).
We need to clear cookies in order to log in again.

Regards

We think we found a possible cause: YunoHost is installed on a subdomain, and Nextcloud is using another “sibling” subdomain!
So the cookie domain is wrong…
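To make the diagnosis above concrete, here is an added example (not code from the thread or from YunoHost) that models the browser-side cookie rules of RFC 6265: a session cookie issued by the host cloud1.domain.com is never attached to requests for the sibling host cloud.domain.com, and cloud1.domain.com is not even allowed to set a cookie whose Domain attribute names its sibling. Only a cookie scoped to the shared parent domain.com reaches both hosts. All host names and the cookie name sso_session are constructed for the example; the public-suffix check a real browser also applies is deliberately left out.

```python
from dataclasses import dataclass
from typing import List, Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-address case omitted)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # effective domain the browser stored for the cookie
    host_only: bool  # True when the Set-Cookie header carried no Domain attribute


def store_cookie(set_by_host: str, name: str, value: str,
                 domain_attr: Optional[str]) -> Optional[Cookie]:
    """Model a browser processing a Set-Cookie response from set_by_host.

    Returns None when the browser would reject the cookie (RFC 6265 section 5.3,
    step 6): a host may only set cookies for a domain that it is itself inside.
    Public-suffix checks (e.g. rejecting Domain=com) are omitted for brevity.
    """
    if domain_attr is None:
        # No Domain attribute: the cookie is host-only, bound to exactly this host.
        return Cookie(name, value, set_by_host.lower(), host_only=True)
    if not domain_matches(set_by_host, domain_attr):
        return None
    return Cookie(name, value, domain_attr.lower().lstrip("."), host_only=False)


def cookies_sent_to(jar: List[Cookie], request_host: str) -> List[str]:
    """Names of the cookies the browser attaches to a request for request_host
    (RFC 6265 section 5.4): exact host match for host-only cookies, domain-match
    otherwise."""
    sent = []
    for c in jar:
        if c.host_only:
            if request_host.lower() == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sent


def sso_scenario(portal_host: str, app_host: str,
                 domain_attr: Optional[str]) -> List[str]:
    """The SSO portal on portal_host sets a constructed session cookie with the
    given Domain attribute; return which cookies then reach the app on app_host."""
    jar: List[Cookie] = []
    cookie = store_cookie(portal_host, "sso_session", "constructed-token", domain_attr)
    if cookie is not None:
        jar.append(cookie)
    return cookies_sent_to(jar, app_host)


if __name__ == "__main__":
    # The thread's setup: portal on cloud1.domain.com, Nextcloud on cloud.domain.com.
    print("host-only cookie:", sso_scenario("cloud1.domain.com", "cloud.domain.com", None))
    print("Domain=cloud.domain.com (rejected):",
          sso_scenario("cloud1.domain.com", "cloud.domain.com", "cloud.domain.com"))
    print("Domain=domain.com:", sso_scenario("cloud1.domain.com", "cloud.domain.com", "domain.com"))
    # The working layouts from the reply: app under the portal's own host, or a child subdomain.
    print("child subdomain:", sso_scenario("fakraz.nl", "cloud.fakraz.nl", "fakraz.nl"))
```

Running it shows the three outcomes side by side: the host-only cookie and the rejected sibling-scoped cookie both leave Nextcloud with no session, while a cookie scoped to the common parent domain is sent to both subdomains. That also explains the “clear cookies to log in again” symptom: stale cookies stored under one host are never replaced by a login on the other.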


Sharp! In my cases, Nextcloud is either installed on the Yuno-domain in a subdirectory (e.g., online.osba.nl/nextcloud, with online.osba.nl as main domain), or in a subdomain of the Yuno-domain (cloud.fakraz.nl with the main domain at fakraz.nl).

In your case, I expect YunoHost’s main domain to be (for example) yunohost.grubhska.fr, with Nextcloud on nextcloud.grubhska.fr? Still, both are installed on the same server, are they not?

That’s it, everything is on the same server.

Because of the migration we made a wrong decision about subdomains: before YunoHost, we had only Nextcloud on cloud.domain.com.
So, we installed YunoHost on cloud1.domain.com and Nextcloud on cloud.domain.com.
But this still needed users to change their email client configuration…

So we just decided to change everything and make a clearer configuration.
We can’t put YunoHost on domain.com because it’s the website of our association.

Ideally, we would have YunoHost on something like portal.domain.com, and Nextcloud on cloud.domain.com; however I don’t like the email server to be “portal.domain.com” :slight_smile:
I don’t know if we can have a different subdomain for the email server; I tried, but I had clients complaining about a wrong certificate domain, and I saw wildcard certificates are not yet supported.

We need some more reflection and investigation here!

I think it is possible to:

The idea is to have no change for visitors of https://domain.com, because they can keep visiting the old address, and YunoHost will forward them.

I see two possible problems:

  1. YunoHost will try to catch all traffic to addresses on the domain and redirect to the default page, or another configured page/app. There is, in this case, no domain configured and no app installed at www.domain.com (at least, not in YunoHost). I think the definition of the domain www.domain.com is needed in YunoHost, perhaps in combination with installing the ‘custom webapp’ on www.domain.com to ‘punch a hole’ in YunoHost security to allow access to your website.
  2. Existing links (on the web) to https://domain.com/news/2021/new_website_is_live (for example), might break: they will be redirected to https://www.domain.com. I am quite sure that the redirect app can be configured to correctly forward to https://www.domain.com/news/2021/new_website_is_live (including the www in front). The redirect app is an Nginx-configuration, and is quite flexible.

Thinking some more about it, maybe you can even install both YunoHost and the association website at the main domain, as long as you configure the custom web app in YunoHost to allow traffic to your website (for each of the paths in your website, so perhaps you need a custom webapp for https://domain.com/news, one for https://domain.com/contact, etc.).